Is it necessary or mandatory to have a documented procedure for risk management? (All the steps and procedures are already written in our existing risk management file.)
NOTE 3 See ISO 14971 for guidance related to risk management.
The standard asks for "documented requirement", and not "documented procedure" like the requirement of 4.2.3 Control of Documents. To me it is okay to have "multiple" documents as evidence of how we do risk management, and not necessarily a procedure.
In Note 3, the word "guidance" means to me "we can refer to it", but it is not compulsory to follow.
We had the same conversation with our CB auditor, and finally they ended the discussion with no NC on risk management.
I do not know the reason why your auditor issued you an NC; maybe there are other reasons, please check it out.
Comments and opinions are welcome.